In article , Mike wrote:
:I don't think this exists but ...
:I am in charge of a small network at my office: an ethernet LAN with
:about 20 computers.
:All computers are on the same network mask, use DHCP and use a gateway
:to access the outside world.
:Now, I would like to filter traffic between users of this LAN.
:What I thought of is a way for a DHCP server to give each user a
:separate network mask. Then, the gateway should listen on an address on
:each network mask and act as a gateway between all those "virtual
:networks".
If you are going to give each of them different network masks, then you might as well give each of them a different subnet.
Unfortunately, if they are Windows then they are likely using NETBIOS which uses segment broadcasts, so even with different subnets they would see the NETBIOS broadcasts. And if they happened to fail DHCP then they'd use Zero Configuration (164.159.*.*) IPs and talk to each other directly...
So what you need to do is move them each onto their own segment.
Some of the Cisco multilayer switches can enforce that traffic is not permitted directly between client ports without going through a designated control port.
Or you could build a gateway computer (or several) with a whole bunch of NICs. Be careful with multiport NICs, as often those ports are switched together instead of being totally isolated.
If you were to use a Cisco PIX 535 or FWSM or one of the higher-end Cisco ASA, then you could put each host into a distinct VLAN, forcing them to go through the firewall to talk to each other. (Several other PIX also support VLANs, but the 535 is the only PIX that supports enough VLANs for all of your hosts.)
There is another possibility: there exists equipment, designed for use in places like hotels, which takes in -whatever- IP range the client host is using, and talks to it in that range, each port independently (as if they were in different ranges.) This would prevent your hosts from talking to each other except by going through outside systems.
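As an added illustration of the subnet-versus-segment point made in the reply above (this is example code written for this page, not something either poster supplied), the following Python models which hosts on one Ethernet segment would exchange IP traffic directly and which would have to go through the gateway. It carves a /30 per host out of a pool, as the "one mask per user" idea effectively requires, and then shows that two hosts which fall back to link-local (APIPA, 169.254.0.0/16) addressing after a DHCP failure land on the same subnet again. Host names and addresses are constructed (192.0.2.0/24 is a documentation range); the model covers only on-link IP reachability, not NetBIOS broadcasts, which reach every host on the segment regardless of subnet.

```python
"""Model of direct (on-link) IP reachability between hosts on one segment.

Constructed example for this page: host names and addresses are made up;
192.0.2.0/24 is the TEST-NET-1 documentation range.
"""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from itertools import combinations

# Automatic private addressing used when a DHCP lease cannot be obtained.
LINK_LOCAL = IPv4Network("169.254.0.0/16")


def direct_pairs(hosts):
    """Return the set of (name, name) pairs whose addresses share a subnet.

    hosts: mapping name -> "a.b.c.d/prefix". Two hosts on the same subnet
    and the same segment resolve each other with ARP and talk unicast
    directly, so a gateway-based filter never sees that traffic.
    """
    ifaces = {name: IPv4Interface(addr) for name, addr in hosts.items()}
    direct = set()
    for (n1, i1), (n2, i2) in combinations(sorted(ifaces.items()), 2):
        if i1.network == i2.network:
            direct.add((n1, n2))
    return direct


def link_local_hosts(hosts):
    """Names of hosts that fell back to a 169.254/16 address."""
    return sorted(
        name for name, addr in hosts.items()
        if IPv4Interface(addr).ip in LINK_LOCAL
    )


def plan_per_host_subnets(pool, names):
    """Carve one /30 out of `pool` per host and pick the gateway address.

    Each /30 has two usable addresses: the lower one is given to the
    gateway, the upper one to the host. Returns
    name -> (host_interface, gateway_address, subnet).
    """
    subnets = IPv4Network(pool).subnets(new_prefix=30)
    plan = {}
    for name in names:
        try:
            net = next(subnets)
        except StopIteration:
            raise ValueError(f"pool {pool} has no /30 left for {name}")
        gateway, host = list(net.hosts())
        plan[name] = (IPv4Interface(f"{host}/30"), gateway, net)
    return plan


if __name__ == "__main__":
    # Flat LAN as described in the question: everyone on one /24.
    flat = {"pc01": "192.0.2.11/24", "pc02": "192.0.2.12/24",
            "pc03": "192.0.2.13/24"}
    print("flat /24, direct pairs:", sorted(direct_pairs(flat)))

    # One /30 per host: no pair shares a subnet, so IP traffic is routed.
    plan = plan_per_host_subnets("192.0.2.0/24", ["pc01", "pc02", "pc03"])
    for name, (iface, gw, net) in plan.items():
        print(f"{name}: host {iface} gateway {gw} in {net}")
    routed = {n: str(p[0]) for n, p in plan.items()}
    print("per-host /30, direct pairs:", sorted(direct_pairs(routed)))

    # Two hosts whose DHCP failed: both pick 169.254/16 and are on-link again.
    failed = dict(routed, pc02="169.254.7.9/16", pc03="169.254.3.3/16")
    print("link-local hosts:", link_local_hosts(failed))
    print("after DHCP failure, direct pairs:", sorted(direct_pairs(failed)))
```

The last step is the reply's caveat in concrete form: the per-host mask plan isolates IP traffic only as long as every host keeps its lease, because the shared link-local fallback puts them back on a common subnet on the same wire. Putting each host on its own segment (a separate NIC, port-isolating switch, or per-host VLAN behind a firewall) does not depend on the host's configuration.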